From patchwork Wed Nov 23 15:35:40 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Turnbull X-Patchwork-Id: 13053867 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 80D6CC433FE for ; Wed, 23 Nov 2022 15:35:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237740AbiKWPfy (ORCPT ); Wed, 23 Nov 2022 10:35:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49162 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237210AbiKWPfv (ORCPT ); Wed, 23 Nov 2022 10:35:51 -0500 Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 322951161 for ; Wed, 23 Nov 2022 07:35:51 -0800 (PST) Received: by mail-qt1-x830.google.com with SMTP id a27so11408662qtw.10 for ; Wed, 23 Nov 2022 07:35:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=YcEd0uKVX5Vx/FXDpHViklYQ6RAhuSZUrYNICOdpZ44=; b=I+Q8RXW4JCTR7ksow0zKJr77nBLVMD+Icq/ogcNJ9OmPETms5UtxKM/lNxM0EtmJGj hccKPNFga8itE//hmdDEvf8/PBGfKhKuNzyuiqBXh8VwVZtFOebSJia0VT08FI2v8fu5 A9AJXCo7dxGmvZ22UjloMaX0Q4DLh07Lxd6gQtzsexUeffEU2JATVw1rs4FH7OZXA3QH L3U0WQ7EzIiHX8X+0YsqlNqUZMCi/QYMNq0Fr3y+deUgZJmca9r2ulHTUCsaaQc74Wdh W67VkNyGVutYruGWV2y9+MrD0fuJ2G6yAydYnO3MYWbfDzoL1q1rJUDDUfkJUiZKzEYO yA+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YcEd0uKVX5Vx/FXDpHViklYQ6RAhuSZUrYNICOdpZ44=; b=KeepZhgZoJ9MhhxT5UogMdncF73j+8vLUYoryYBUZFEWaERu0UjdrHE8MU/YscuLsm daRJRU+BSIQ46InJSOvmgZ1nVtfSsk3GzpyepeOulWDSQCSNXkFEZuTtlHz1Zo2seoXO TA24rQLtN4Rq7TLEfOAedGyAIri11A/4mzb//sMMxu2wwHamUatqBu9+ieukmdTwu4we 7CVs9DWi2EoDEgaNHx9tWljcRYmlfRgo0Fjm8zIhvvIuwfigQ4AHbmZ0VYAqkeg+MLcq gAoFayv0v8RILXnelDJoywQwwk3IN0HKHb0b45jlcttJK6dF69Wt+CoPQ49eTdx4VnPl xQLg== X-Gm-Message-State: ANoB5plFCBle3G+Po2SDzEAnGVysQJYy8/0AhvDiGpcdSCaLBX/2vIws KYCD+yMEQ4bru1EJw3peMxH0aR0xQ8zOqwMeifvMeWFlHxD+3YyD9QjuBn3Bqjk/MMmGI2MIY4t yKbI3NhfYAxsRSY+wBd0rARS/fksJwn38U8Uq/toHhKZsD2IxD6JDzSSxfKY5rUWzRcs8znhMGn pwO2ZSmTU6uNI= X-Google-Smtp-Source: AA0mqf49FyNap30xhv6kOPez9FfiSJtmGpKXxbbJf2dkqWY+hg491oqJN9aHINvzeG3CAtZezv3jEA== X-Received: by 2002:ac8:488f:0:b0:3a6:fa9:bcca with SMTP id i15-20020ac8488f000000b003a60fa9bccamr27533721qtq.652.1669217750173; Wed, 23 Nov 2022 07:35:50 -0800 (PST) Received: from localhost.localdomain (c-73-218-151-107.hsd1.ct.comcast.net. [73.218.151.107]) by smtp.gmail.com with ESMTPSA id u12-20020a37ab0c000000b006bb29d932e1sm11990296qke.105.2022.11.23.07.35.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Nov 2022 07:35:49 -0800 (PST) From: Phil Turnbull To: linux-wireless@vger.kernel.org Cc: ajay.kathat@microchip.com, claudiu.beznea@microchip.com, kvalo@kernel.org, Phil Turnbull Subject: [PATCH 1/4] wifi: wilc1000: validate pairwise and authentication suite offsets Date: Wed, 23 Nov 2022 10:35:40 -0500 Message-Id: <20221123153543.8568-2-philipturnbull@github.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221123153543.8568-1-philipturnbull@github.com> References: <20221123153543.8568-1-philipturnbull@github.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org There is no validation of 'offset' which can trigger an out-of-bounds read when extracting RSN capabilities. Signed-off-by: Phil Turnbull Tested-by: Ajay Kathat Acked-by: Ajay Kathat --- drivers/net/wireless/microchip/wilc1000/hif.c | 21 ++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c index eb1d1ba3a443..67df8221b5ae 100644 --- a/drivers/net/wireless/microchip/wilc1000/hif.c +++ b/drivers/net/wireless/microchip/wilc1000/hif.c @@ -482,14 +482,25 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, rsn_ie = cfg80211_find_ie(WLAN_EID_RSN, ies->data, ies->len); if (rsn_ie) { + int rsn_ie_len = sizeof(struct element) + rsn_ie[1]; int offset = 8; - param->mode_802_11i = 2; - param->rsn_found = true; /* extract RSN capabilities */ - offset += (rsn_ie[offset] * 4) + 2; - offset += (rsn_ie[offset] * 4) + 2; - memcpy(param->rsn_cap, &rsn_ie[offset], 2); + if (offset < rsn_ie_len) { + /* skip over pairwise suites */ + offset += (rsn_ie[offset] * 4) + 2; + + if (offset < rsn_ie_len) { + /* skip over authentication suites */ + offset += (rsn_ie[offset] * 4) + 2; + + if (offset + 1 < rsn_ie_len) { + param->mode_802_11i = 2; + param->rsn_found = true; + memcpy(param->rsn_cap, &rsn_ie[offset], 2); + } + } + } } if (param->rsn_found) { From patchwork Wed Nov 23 15:35:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Turnbull X-Patchwork-Id: 13053868 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3FD81C4332F for ; Wed, 23 Nov 2022 15:35:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237825AbiKWPfz (ORCPT ); Wed, 23 Nov 2022 10:35:55 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49196 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236354AbiKWPfy (ORCPT ); Wed, 23 Nov 2022 10:35:54 -0500 Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6E8BD7818E for ; Wed, 23 Nov 2022 07:35:53 -0800 (PST) Received: by mail-qk1-x72a.google.com with SMTP id d7so12649578qkk.3 for ; Wed, 23 Nov 2022 07:35:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ILrrTlt7glj7jRujaJkBk6baf5IG4t3ahOvYJI1MVcA=; b=KwtCFmMQewxxZnxaFKZblBQJGt42ydUC7qF87da4aMyVpKIj251nuN+fEm86qcCR2Z WcpoRGRuhztWDCVwgDupbQ+iMU1n3tGi76oQqxyWEorlqNn1U5n/sUPlOWLFhoPV+FD+ b68TKOvyT2uI7qrK919seB9ve6d5QEDM9oQg1V6lSjjh8NbbS+cb13s/iH8fjXMz5Xfj 9Q5x12lxqt87yP52t/HA83xf+rVSdowOiMpQJUta6uDXzvfLvD8A8l86H4xy2mnq8L2w pepkhjpKRs0gkXsgvjYMQF+UNvKbWzQzwmr7H/utQ0KTktBHeyQYX6ppZj4twa6L0Fbr 6KqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ILrrTlt7glj7jRujaJkBk6baf5IG4t3ahOvYJI1MVcA=; b=fpnBBabyP2sZ1Cn6Xptg5lQmchLgyKQZJAk/YQA77k5MqIr5Vbr0Wmc4xT61ZBbJ74 hcw6GZ3bmC3CObLw1rXGukgBlXhZxCE9BCZAZLIFUXqanzymKchKoxDEB7XdQb50qiZQ wQXRws88iicouyzm7P8gQ3qjphBhY1E9nLtQI1cjtE4pB/kk/EgUmHW08Y2de7a9aJc7 iS5QtG/hNdaroGfsTg/exC8IgfCZsnIinMCEFMT+u9l6qWB1sVoSpjUxX/u9FlMijO5a AhobOJI7x1tfWTb0axgGYxUuumAq3Ynj/H8fQHu92IC8qX8tXtouPdIYDLCdABUulw8L m4zw== X-Gm-Message-State: ANoB5pl2QLANCHGbF2eW+8ufXhsIUfd/5JmkkoooIJaOw7P90ic2uxg0 iVKNuQAmogV7CpRmutoywKkVcgs+L/ndZFdnTzvkg2cOmtA0Ur4weA5qvBpkiDm+j45LMWidHU2 gK5G6Wur1WQcBBY28b1T4sOO1wij4LrhasNrLfjRY/6f9LXqkmjzVGp/hScT2VMTArMNS41Ux8/ kdpxI4uDrPD8A= X-Google-Smtp-Source: AA0mqf7nsgL3zen3LyDO4H8OR2wz+CpwC40C6JXQU6QnKY9XQB/uOUmgB70ylkOKEao7lKE6IOygUQ== X-Received: by 2002:a05:620a:102f:b0:6fa:2050:ea8b with SMTP id a15-20020a05620a102f00b006fa2050ea8bmr8866246qkk.429.1669217752385; Wed, 23 Nov 2022 07:35:52 -0800 (PST) Received: from localhost.localdomain (c-73-218-151-107.hsd1.ct.comcast.net. [73.218.151.107]) by smtp.gmail.com with ESMTPSA id u12-20020a37ab0c000000b006bb29d932e1sm11990296qke.105.2022.11.23.07.35.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Nov 2022 07:35:52 -0800 (PST) From: Phil Turnbull To: linux-wireless@vger.kernel.org Cc: ajay.kathat@microchip.com, claudiu.beznea@microchip.com, kvalo@kernel.org, Phil Turnbull Subject: [PATCH 2/4] wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute Date: Wed, 23 Nov 2022 10:35:41 -0500 Message-Id: <20221123153543.8568-3-philipturnbull@github.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221123153543.8568-1-philipturnbull@github.com> References: <20221123153543.8568-1-philipturnbull@github.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Validate that the IEEE80211_P2P_ATTR_OPER_CHANNEL attribute contains enough space for a 'struct struct wilc_attr_oper_ch'. If the attribute is too small then it triggers an out-of-bounds write later in the function. Signed-off-by: Phil Turnbull Tested-by: Ajay Kathat Acked-by: Ajay Kathat --- drivers/net/wireless/microchip/wilc1000/cfg80211.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c index 9bbfff803357..aedf0e8b69b9 100644 --- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c +++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c @@ -959,14 +959,24 @@ static inline void wilc_wfi_cfg_parse_ch_attr(u8 *buf, u32 len, u8 sta_ch) return; while (index + sizeof(*e) <= len) { + u16 attr_size; + e = (struct wilc_attr_entry *)&buf[index]; + attr_size = le16_to_cpu(e->attr_len); + + if (index + sizeof(*e) + attr_size > len) + return; + if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST) ch_list_idx = index; - else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL) + else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL && + attr_size == (sizeof(struct wilc_attr_oper_ch) - sizeof(*e))) op_ch_idx = index; + if (ch_list_idx && op_ch_idx) break; - index += le16_to_cpu(e->attr_len) + sizeof(*e); + + index += sizeof(*e) + attr_size; } if (ch_list_idx) { From patchwork Wed Nov 23 15:35:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Turnbull X-Patchwork-Id: 13053869 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 63555C4332F for ; Wed, 23 Nov 2022 15:35:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237963AbiKWPf5 (ORCPT ); Wed, 23 Nov 2022 10:35:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49232 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238191AbiKWPf4 (ORCPT ); Wed, 23 Nov 2022 10:35:56 -0500 Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94B486D4A9 for ; Wed, 23 Nov 2022 07:35:55 -0800 (PST) Received: by mail-qk1-x72d.google.com with SMTP id g10so12643749qkl.6 for ; Wed, 23 Nov 2022 07:35:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=eQ5QDI4af4ZfNZG5o47ipt1XsCibRZfQcbTvzmxsb0Q=; b=UXH+gEi3Vz3AsonhO6331s4+ZrwyinoMrX5DaVsDRC4kX7EeMgh76h75cUHBxyPo6Y 3yFzOyNwcOz5rL4kGaen5QS+uYys1gyyHkqx4MwWO6dN+ZkVdnYZkDHpVrU4l4JVZ4KX /fw0lhQ5y22+T4JRlA2+6PkISuALYioPiFY+nwOE8Y1eC9i5/AomVD4x891SE22ag1iE hqjRc5SPDTHxNj8V4zr1upz0iUmpsPRN5DYeuciX4jVrbc0OrdqVKlUm7j/KFIx7FGLc OuUCHYNhjhHq6BfUNzWOIuthiXM4K7XyocNA/XLBlKs1Ds42u+I32v09ueNyZCHsPA/I 0w+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eQ5QDI4af4ZfNZG5o47ipt1XsCibRZfQcbTvzmxsb0Q=; b=XEBouzc79+5U4qh+Wf2x2kkPGqNtMOojZSZAAeO2Ec2U6b17whAOhDh7BeGUrYM+jR c+tpbQOTyEY9YsbzJiXSgkC+Yn3fCXtzuBKmGd1QkAtGgtXy2lwDxolAL7XDuSeuXGIY GuRSufszJKq5NL97d6a7P3vnYklA1v2qElYKMlLX4gG8Zkf/IgCuuO/xiH/9k/xo8Wad UzBycyNQtyH7taJZD7ksqEmIqQ9StlU9AAtf5mk5fBhL/i6Ro4UQNS0OVGL/+hZnxoyx lOgVwT2Lu08EF5Sv4Pciz3nbGTE5Su4uLLPpPsGn0tePxXWD4y9fpz7n3og02zc93M3z Fz+A== X-Gm-Message-State: ANoB5pmSSVQBSC8ChDrWYof3Nqmzbl+j/m8ZjMAsh0bAshrxLTliAiRt AugMHqAWIKZx+a33VIh8BI4in/rIM/FgXXS4Kq6c5ew/hbf847QtAJjZipgYWGS4pCeRVir/PCz voYfkUyBeS7cnLQvsnUJz+Mp/wbqO+/WcBEUxZ5YWlhozQhBqtNIhbQLiri8QT6vzCLNY5fc014 uVEtZCz/ecxWc= X-Google-Smtp-Source: AA0mqf4C5A9IM8iRGgd5d0llNO/2pGsakRk9uZsAYo3cuMbYjngrCG01BYAXo3/ogMLVeOQ9yZIAiA== X-Received: by 2002:a05:620a:d41:b0:6fb:38cd:adee with SMTP id o1-20020a05620a0d4100b006fb38cdadeemr26069884qkl.703.1669217754594; Wed, 23 Nov 2022 07:35:54 -0800 (PST) Received: from localhost.localdomain (c-73-218-151-107.hsd1.ct.comcast.net. [73.218.151.107]) by smtp.gmail.com with ESMTPSA id u12-20020a37ab0c000000b006bb29d932e1sm11990296qke.105.2022.11.23.07.35.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Nov 2022 07:35:54 -0800 (PST) From: Phil Turnbull To: linux-wireless@vger.kernel.org Cc: ajay.kathat@microchip.com, claudiu.beznea@microchip.com, kvalo@kernel.org, Phil Turnbull Subject: [PATCH 3/4] wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute Date: Wed, 23 Nov 2022 10:35:42 -0500 Message-Id: <20221123153543.8568-4-philipturnbull@github.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221123153543.8568-1-philipturnbull@github.com> References: <20221123153543.8568-1-philipturnbull@github.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Validate that the IEEE80211_P2P_ATTR_CHANNEL_LIST attribute contains enough space for a 'struct wilc_attr_oper_ch'. If the attribute is too small then it can trigger an out-of-bounds write later in the function. 'struct wilc_attr_oper_ch' is variable sized so also check 'attr_len' does not extend beyond the end of 'buf'. Signed-off-by: Phil Turnbull Tested-by: Ajay Kathat Acked-by: Ajay Kathat --- drivers/net/wireless/microchip/wilc1000/cfg80211.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c index aedf0e8b69b9..c4d5a272ccc0 100644 --- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c +++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c @@ -967,7 +967,8 @@ static inline void wilc_wfi_cfg_parse_ch_attr(u8 *buf, u32 len, u8 sta_ch) if (index + sizeof(*e) + attr_size > len) return; - if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST) + if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST && + attr_size >= (sizeof(struct wilc_attr_ch_list) - sizeof(*e))) ch_list_idx = index; else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL && attr_size == (sizeof(struct wilc_attr_oper_ch) - sizeof(*e))) From patchwork Wed Nov 23 15:35:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Turnbull X-Patchwork-Id: 13053870 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA62AC4332F for ; Wed, 23 Nov 2022 15:36:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238250AbiKWPgA (ORCPT ); Wed, 23 Nov 2022 10:36:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49258 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238042AbiKWPf7 (ORCPT ); Wed, 23 Nov 2022 10:35:59 -0500 Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7440473B8F for ; Wed, 23 Nov 2022 07:35:58 -0800 (PST) Received: by mail-qt1-x82a.google.com with SMTP id s4so11431915qtx.6 for ; Wed, 23 Nov 2022 07:35:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=iSfnO0oLUvR/YHRda4SUn9qpHU5N545eEU/vyWcDNSs=; b=IlDj/ixSzEJ7qI4m70X7ywNtqUijdynODGQNoDHpdHsQSmUm6IibulgOqhx759hfRc sgSrp+r+zd4DCCkWjFB/Vkc+YMKx+3yOVb+kzP8gE+ZPnOsAS4o7WRzuQN28tJGAI3cY 1W17x3r9gfraWtFirC+ITMytn3OCwio/4uV3sNhcAcW5+IWEQopYi2Ja//Qnhr3lqtW3 TVlTFzr5l7X71GWGscGEkKWsVw5wrU9MheWr/odcG9RO1zsheBRvo9KU8ROo+v2EPswG j3HqorxenMDaGKyclRj2kMSq2tdwEcTgY3shXOR17m/nspYoQN5dyHjaj8LGrF+CxpE6 zCEw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=iSfnO0oLUvR/YHRda4SUn9qpHU5N545eEU/vyWcDNSs=; b=chPU52ntAH33Csr3QMFkxuVrbFwJRA945V31l0LGFW0uyGRhoEWZ88CgllcgPyxyI/ c9PEjJQqVpS3mc6Wx2QHSzrBZvE2CIi7Wp0cjUfq3ajCGhUa4b2s+ALnAWJ4uDDT+t7d skW5Hlyb9fSgYrAivFrnROO7tLRW6CFBhZCOzAgc2oE48wMIVqO7DFav17UXgKA6xAqe 81DK/Pjy/+qCNLfgZgEQApdwr9XXtKgzJ0rOBC+W58X31fJFq1XxOZWo6Hxjk0ycRWGw r0x2uwpcgi6S8sYj+n0PJB0JwEEV0Ybd9Uwp52ihYn3B/4agyGbpLMxpXzuOgA9ULPQX PbuA== X-Gm-Message-State: ANoB5pncGCttxkfxms6wNKgMyge5JNnmE6+7pEGSj3rMp3WDC1mdUEPU rzprwF3w8hCbPdP5KbbsoKY8gqVgPDr3h453XsffMuRtQ0g5TualeJdtQUYNoen7y2GM9U+XTz4 mjUxmRyh7xpl3ua4gjkxH2C6LNNF3xd6nicWnBHOE6Alh3zqopD84v3XQyUtXbDc7cd9wSVkYEN BghHeJYKvm7fA= X-Google-Smtp-Source: AA0mqf755Mojwkr0Kqso5W1wkXlf1OICk3ws3kZY270zJrI4TKozzyDg1Btns+2hgdMpjt7vY4AitQ== X-Received: by 2002:ac8:7343:0:b0:3a4:c30b:c640 with SMTP id q3-20020ac87343000000b003a4c30bc640mr8314182qtp.25.1669217757151; Wed, 23 Nov 2022 07:35:57 -0800 (PST) Received: from localhost.localdomain (c-73-218-151-107.hsd1.ct.comcast.net. [73.218.151.107]) by smtp.gmail.com with ESMTPSA id u12-20020a37ab0c000000b006bb29d932e1sm11990296qke.105.2022.11.23.07.35.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Nov 2022 07:35:56 -0800 (PST) From: Phil Turnbull To: linux-wireless@vger.kernel.org Cc: ajay.kathat@microchip.com, claudiu.beznea@microchip.com, kvalo@kernel.org, Phil Turnbull Subject: [PATCH 4/4] wifi: wilc1000: validate number of channels Date: Wed, 23 Nov 2022 10:35:43 -0500 Message-Id: <20221123153543.8568-5-philipturnbull@github.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221123153543.8568-1-philipturnbull@github.com> References: <20221123153543.8568-1-philipturnbull@github.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org There is no validation of 'e->no_of_channels' which can trigger an out-of-bounds write in the following 'memset' call. Validate that the number of channels does not extends beyond the size of the channel list element. Signed-off-by: Phil Turnbull Tested-by: Ajay Kathat Acked-by: Ajay Kathat --- .../wireless/microchip/wilc1000/cfg80211.c | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c index c4d5a272ccc0..b545d93c6e37 100644 --- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c +++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c @@ -981,19 +981,29 @@ static inline void wilc_wfi_cfg_parse_ch_attr(u8 *buf, u32 len, u8 sta_ch) } if (ch_list_idx) { - u16 attr_size; - struct wilc_ch_list_elem *e; - int i; + u16 elem_size; ch_list = (struct wilc_attr_ch_list *)&buf[ch_list_idx]; - attr_size = le16_to_cpu(ch_list->attr_len); - for (i = 0; i < attr_size;) { + /* the number of bytes following the final 'elem' member */ + elem_size = le16_to_cpu(ch_list->attr_len) - + (sizeof(*ch_list) - sizeof(struct wilc_attr_entry)); + for (unsigned int i = 0; i < elem_size;) { + struct wilc_ch_list_elem *e; + e = (struct wilc_ch_list_elem *)(ch_list->elem + i); + + i += sizeof(*e); + if (i > elem_size) + break; + + i += e->no_of_channels; + if (i > elem_size) + break; + if (e->op_class == WILC_WLAN_OPERATING_CLASS_2_4GHZ) { memset(e->ch_list, sta_ch, e->no_of_channels); break; } - i += e->no_of_channels; } }